Sophie: file-5.12-8.8.mga3 src

file-5.12-8.8.mga3.src.rpm

--- file-5.18/src/cdf.c.orig	2014-02-27 18:26:17.000000000 -0500
+++ file-5.18/src/cdf.c	2014-06-02 13:20:59.174852051 -0400
@@ -352,10 +352,10 @@ cdf_read_short_sector(const cdf_stream_t
 	size_t ss = CDF_SHORT_SEC_SIZE(h);
 	size_t pos = CDF_SHORT_SEC_POS(h, id);
 	assert(ss == len);
-	if (pos > CDF_SEC_SIZE(h) * sst->sst_len) {
+	if (pos + len > CDF_SEC_SIZE(h) * sst->sst_len) {
 		DPRINTF(("Out of bounds read %" SIZE_T_FORMAT "u > %"
 		    SIZE_T_FORMAT "u\n",
-		    pos, CDF_SEC_SIZE(h) * sst->sst_len));
+		    pos + len, CDF_SEC_SIZE(h) * sst->sst_len));
 		return -1;
 	}
 	(void)memcpy(((char *)buf) + offs,
@@ -472,6 +472,11 @@ cdf_count_chain(const cdf_sat_t *sat, cd
 		}
 		sid = CDF_TOLE4((uint32_t)sat->sat_tab[sid]);
 	}
+	if (i == 0) {
+		DPRINTF((" none, sid: %d\n", sid));
+		return (size_t)-1;
+
+	}
 	DPRINTF(("\n"));
 	return i;
 }
@@ -813,6 +827,10 @@ cdf_read_property_info(const cdf_stream_
 		    i, inp[i].pi_id, inp[i].pi_type, q - p, offs));
 		if (inp[i].pi_type & CDF_VECTOR) {
 			nelements = CDF_GETUINT32(q, 1);
+			if (nelements == 0) {
+				DPRINTF(("CDF_VECTOR with nelements == 0\n"));
+				goto out;
+			}
 			o = 2;
 		} else {
 			nelements = 1;
@@ -887,7 +905,9 @@ cdf_read_property_info(const cdf_stream_
 			}
 			DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n",
 			    nelements));
-			for (j = 0; j < nelements; j++, i++) {
+			for (j = 0; j < nelements && i < sh.sh_properties;
+			    j++, i++)
+			{
 				uint32_t l = CDF_GETUINT32(q, o);
 				inp[i].pi_str.s_len = l;
 				inp[i].pi_str.s_buf = (const char *)
@@ -932,7 +952,7 @@ int
 cdf_unpack_summary_info(const cdf_stream_t *sst, const cdf_header_t *h,
     cdf_summary_info_header_t *ssi, cdf_property_info_t **info, size_t *count)
 {
-	size_t i, maxcount;
+	size_t maxcount;
 	const cdf_summary_info_header_t *si =
 	    CAST(const cdf_summary_info_header_t *, sst->sst_tab);
 	const cdf_section_declaration_t *sd =
@@ -947,21 +967,13 @@ cdf_unpack_summary_info(const cdf_stream
 	ssi->si_os = CDF_TOLE2(si->si_os);
 	ssi->si_class = si->si_class;
 	cdf_swap_class(&ssi->si_class);
-	ssi->si_count = CDF_TOLE2(si->si_count);
+	ssi->si_count = CDF_TOLE4(si->si_count);
 	*count = 0;
 	maxcount = 0;
 	*info = NULL;
-	for (i = 0; i < CDF_TOLE4(si->si_count); i++) {
-		if (i >= CDF_LOOP_LIMIT) {
-			DPRINTF(("Unpack summary info loop limit"));
-			errno = EFTYPE;
-			return -1;
-		}
-		if (cdf_read_property_info(sst, h, CDF_TOLE4(sd->sd_offset),
-		    info, count, &maxcount) == -1) {
-			return -1;
-		}
-	}
+	if (cdf_read_property_info(sst, h, CDF_TOLE4(sd->sd_offset), info,
+	    count, &maxcount) == -1)
+		return -1;
 	return 0;
 }
 
--- file-5.18/src/readcdf.c.orig	2014-03-26 11:28:34.000000000 -0400
+++ file-5.18/src/readcdf.c	2014-06-02 13:21:15.634916277 -0400
@@ -173,12 +180,11 @@ cdf_file_property_info(struct magic_set
                                 if (info[i].pi_type == CDF_LENGTH32_WSTRING)
                                     k++;
                                 s = info[i].pi_str.s_buf;
-                                for (j = 0; j < sizeof(vbuf) && len--;
-                                    j++, s += k) {
+                                for (j = 0; j < sizeof(vbuf) && len--; s += k) {
                                         if (*s == '\0')
                                                 break;
                                         if (isprint((unsigned char)*s))
-                                                vbuf[j] = *s;
+                                                vbuf[j++] = *s;
                                 }
                                 if (j == sizeof(vbuf))
                                         --j;